Meanwhile, other researchers and antimalware companies have been blogging about steep declines in the number of infections. It turns out they were fooled by Flashback.

There's an algorithm in Flashback that sets up a new "phone home" URL every 24 hours. Dr. Web cracked the naming system, allowing the company to set up sinkholes on those URLs and count the number of infected machines that hit them. According to Dr. Web's site, apparently nobody noticed until late last week that after contacting the daily URL, Flashback then contacts "the server at 74.207.249.7, controlled by an unidentified third party. This server communicates with bots but doesn't close a TCP connection. As a result, bots switch to the standby mode and wait for the server's reply and no longer respond to further commands. As a consequence, they do not communicate with other command centers."

The server at 74.207.249.7 puts the infected machine on hold, which keeps it from contacting the next daily URL. Speculation is that Flashback will start phoning the daily URL again when a Mac is rebooted. Newly infected Macs would also phone the daily URL.
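To show why the sinkhole numbers looked like a steep decline, here is an added example (not code from the article or from Dr. Web) that counts distinct clients hitting a sinkholed daily URL and lists the ones that stop showing up. The log format and the `dayN.example.invalid` hostnames are constructed placeholders; the real naming scheme is not described on this page.

```python
import re
from collections import defaultdict

# Constructed sample sinkhole access log (hypothetical format:
# "<date> <client_ip> <host> <path>"). Hostnames are placeholders.
SINKHOLE_LOG = """\
2012-04-20 203.0.113.10 day1.example.invalid /
2012-04-20 203.0.113.11 day1.example.invalid /
2012-04-20 203.0.113.10 day1.example.invalid /
2012-04-21 203.0.113.10 day2.example.invalid /
2012-04-21 198.51.100.7 day2.example.invalid /
2012-04-22 198.51.100.7 day3.example.invalid /
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (date, client_ip, host) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            date, ip, host, _path = m.groups()
            yield date, ip, host


def unique_bots_per_day(text):
    """Count distinct client IPs per day. NAT hides several infected
    machines behind one address, so this is only a lower bound."""
    seen = defaultdict(set)
    for date, ip, _host in parse_log(text):
        seen[date].add(ip)
    return {d: len(ips) for d, ips in seen.items()}


def bots_gone_silent(text):
    """IPs seen on an earlier day but absent on the last logged day.
    A bot parked on a half-open connection to another server stops
    hitting the daily URL, so it lands here while still infected."""
    by_day = defaultdict(set)
    for date, ip, _host in parse_log(text):
        by_day[date].add(ip)
    days = sorted(by_day)
    if len(days) < 2:
        return []
    earlier = set().union(*(by_day[d] for d in days[:-1]))
    return sorted(earlier - by_day[days[-1]])
```

A drop in the per-day count therefore says nothing about disinfection on its own; the silent list is the set of hosts still worth chasing.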

As I explained last week, Flashback started out as a simple Trojan last September. It tried to trick Mac users into installing the malware, disguising it as an update to the Flash player. But in February it took a menacing turn, adding drive-by infection techniques. Nobody seems to know exactly when the current triple-threat version of Flashback appeared, but it was definitely in the wild in late March. Dr. Web posted information about it on March 27 and started tracking infected systems with its sinkhole on April 3. Throughout this timeline, Apple has been dropping the ball.

There are three exploits used by the latest version of Flashback:

Java vulnerability CVE-2012-0507 was fixed by Oracle on Feb. 15. On March 28, Blackhole added CVE-2012-0507 to its arsenal, and Metasploit followed on March 30. Apple's first patch for OS X CVE-2012-0507 appeared on April 3. Elapsed time: 48 days.

Java vulnerability CVE-2011-3544 was fixed by Oracle on Nov. 18, 2011. It was added to both Metasploit and Blackhole on or about Nov. 30. Apple's first patch for OS X CVE-2011-3544 appeared on March 29. Elapsed time: 132 days.

Apple patched the third vulnerability, CVE-2008-5353, way back in May of 2009. Elapsed time from the Sun patch: 163 days.

Woody Leonhard writes computer books, primarily about Windows and Office; he's currently working on the Win 10 follow-up to the thousand-page "Windows 8.1 All-in-One for Dummies." A self-described "Windows victim," Woody specializes in telling the truth about Windows in a way that won't put you to sleep.